Slashdot Mirror


Firefox 3.6 Locks Out Rogue Add-ons

CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed 'component directory lockdown,' the feature will bar access to Firefox's 'components' directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. 'We're doing this for stability and user control [reasons],' said Johnathan Nightingale, manager of the Firefox front-end development team. 'Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.'"

14 of 265 comments

  1. .NET Anyone? by Daengbo · · Score: 5, Insightful

    Last February, and again in May, Firefox users complained when they found that Microsoft had pushed the .Net Framework Assistant add-on and the Windows Presentation Foundation (WPF) plug-in to their browsers as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update.

    That's the first thing I thought of when I read the summary.

    1. Re:.NET Anyone? by NoYob · · Score: 4, Insightful

      The first thing I thought of was those Yahoo! toolbars that folks love to slip into every browser.

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    2. Re:.NET Anyone? by maxume · · Score: 5, Informative

      Those components were installed by editing the Windows registry, not 'dropped in' as is discussed here (Firefox looks in various locations to find plug-ins and addons to load).

      --
      Nerd rage is the funniest rage.
    3. Re:.NET Anyone? by sopssa · · Score: 4, Informative

      Well, as no one reads the article, this doesn't concern .NET update in any way:

      In actuality, Microsoft did not drop its code into Firefox's components directory, Nightingale confirmed. "The .Net Framework and WPF use our existing extension/plug-in mechanisms, that's why we were able to disable them when they were found to be vulnerable," he said in a follow-up e-mail. "They aren't impacted by this change."

    4. Re:.NET Anyone? by Anonymous Coward · · Score: 5, Funny

      What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

    5. Re:.NET Anyone? by trevdak · · Score: 5, Insightful

      Regardless, there should've been a prompt to ask if you wanted to install it, and there damn well should be a working uninstall button.

    6. Re:.NET Anyone? by mqduck · · Score: 5, Insightful

      > the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox change will make it much harder for us to reach our users.

      I fail to see the downside for anybody but you, and you make it sound like you clearly deserve it.

      --
      Property is theft.
    7. Re:.NET Anyone? by Miamicanes · · Score: 4, Insightful

      > What do you mean? As far as I know, in all the instances where a toolbar is bundled with some other
      > software, the toolbar installation is clearly mentioned in the software EULA, so each time the toolbar
      > is installed, the user agreed that he wanted it. As a developer for a Web optimizer plugin, this Firefox
      > change will make it much harder for us to reach our users.

      Q. What's the difference between a 'trojan' and 'malware'?

      A. Malware has a EULA.

      I can't even *begin* to emphasize how badly it pisses me off when some app tries to sneak BHOs and plugins into their installer... almost always in ways that someone in a hurry to install the app that's actually *desired* will overlook. I flat-out refuse to ever use Yahoo and Google's toolbars, *precisely* because they have so many people trying to ram them down my throat and trick me into installing them.

    8. Re:.NET Anyone? by andi75 · · Score: 4, Insightful

      If it's "mentioned in the EULA" it might as well be "on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'". About the same amount of people will be able to read & understand it.

  2. User perspective by omfglearntoplay · · Score: 5, Insightful

    From a user perspective, this sounds like a good move. Stability problems in Firefox always seem to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.

  3. Re:Effects on Add-on Development by BitZtream · · Score: 4, Informative

    The MS plugin is not affected by this. It did things in the proper way, the documented method for adding system wide extensions rather than user level extensions. That is why Mozilla could easily disable the insecure version of the plugin, because it actually followed the rules.

    MS just added a registry key that pointed at the files for the extension, which is well documented and used by many other pieces of software to allow plugins to be installed even before Firefox, and allowing any version of Firefox (or Thunderbird or whatever) to find them, even after installation into some random directory.

    If you bother to read the article, it says the same. Google Desktop Search on the other hand, doesn't follow the rules and will be blocked unless Mozilla makes a workaround for them or Google updates GDS to follow the rules.

    This is essentially like not allowing code from anyone other than MS to be dropped into the Windows directory, and requiring it to be put somewhere else and properly registered with the system rather than throwing it in the system32 directory and loading it as if it were trusted code from MS.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Re:I want a mechanism for pluck-outs... by jamstar7 · · Score: 5, Funny

    The pony should be a plugin

    The mental image that came to mind when I saw that convinces me that I watch WAY too much porn...

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  5. Re:I want a mechanism for pluck-outs... by Lord Bitman · · Score: 4, Interesting

    The awesome bar, and most of the other firefox bloat, should be plugins. Firefox had this great plugin architecture which everyone and their dog used- except the firefox devs.
    Why doesn't firefox ship with an array of "default" plugins, all of which can be disabled? There's no need for something like awesomebar to be core, is there?

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  6. Re:That was the idea behind Firefox/Firebird/Phoen by Reapman · · Score: 4, Insightful

    Tired of reading these sorts of comments. Sure there's some "bloat", but what that bloat is varies by opinion. I've read where supporting CSS is "bloat". Graphics are "bloat". tabs are "bloat". RSS. etc.

    My understanding (and please tell me if I'm wrong) is the point of Firefox was to supply a WEB BROWSER. Back then when you downloaded it you also got an email program, news reader, wysiwyg website builder, etc. Firefox was JUST a browser. Still is.

    If you REALLY want where everything is an option go build it yourself. Have something where you choose which renderer you want (Moz's, Webkit, etc), whether or not to have tabs, allow plugins, command line version, etc. Hit next a few times and presto your very own browser.